intelmq.bots.experts.splunk_saved_search package

Submodules

intelmq.bots.experts.splunk_saved_search.expert module

Splunk saved search enrichment export bot

SPDX-FileCopyrightText: 2020 Linköping University <https://liu.se/>
SPDX-License-Identifier: AGPL-3.0-or-later

Searches Splunk for fields in an event and adds search results to it.

This bot is quite slow, since it needs to submit a search job to Splunk, get the job ID, poll for the job to complete and then retrieve the results. If you have a high query load, run more instances of the bot.

param Generic IntelMQ HTTP parameters

param auth_token

string, Splunk authentication token

param url

string, base URL of the Splunk REST API

param retry_interval

integer, optional, default 5, number of seconds to wait between polling for search results to be available

param saved_search

string, name of Splunk saved search to run

param search_parameters

map string->string, optional, default {}, IntelMQ event fields to Splunk saved search parameters

param result_fields

map string->string, optional, default {}, Splunk search result fields to IntelMQ event fields

param not_found

list of strings, default ["warn", "send"], what to do if the search returns zero results. All specified actions are performed. Any reasonable combination of:

warn: log a warning message
send: send the event on unmodified
drop: drop the message

param multiple_result_handling

list of strings, default ["warn", "use_first", "send"], what to do if the search returns more than one result. All specified actions are performed. Any reasonable combination of:

limit: limit the search so that duplicates are impossible
warn: log a warning message
use_first: use the first search result
ignore: do not modify the event
send: send the event on
drop: drop the message

param overwrite

bool or null, optional, default null, whether search results replace existing values in the event. If null, trying to set an existing field raises intelmq.exceptions.KeyExists.
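The following is an added example, not code from IntelMQ or Splunk. It models the two things the documentation above describes in plain Python so they can be exercised offline: the submit/poll/retrieve round trips that make the bot slow, and the way search_parameters, result_fields, not_found, multiple_result_handling and overwrite combine when a result is merged into an event. FakeSplunk is a constructed stand-in for the Splunk search-jobs API, KeyExists is a stand-in for intelmq.exceptions.KeyExists, and every function name here is this example's own assumption rather than the bot's real method name.

```python
"""Offline model of the splunk_saved_search expert's documented behaviour.

Added example, not IntelMQ's or Splunk's code. FakeSplunk, KeyExists and
all function names are assumptions made for this illustration.
"""
import time
from typing import Dict, List, Optional


class KeyExists(Exception):
    """Stand-in for intelmq.exceptions.KeyExists."""


class FakeSplunk:
    """Constructed stand-in for the Splunk search-jobs REST API: dispatching
    a saved search returns a job ID, and the job reports done after `polls`
    status checks. Real deployments talk to the REST API over HTTP instead."""

    def __init__(self, results: List[Dict[str, str]], polls: int = 2):
        self._results, self._polls, self.seen_params = results, polls, None

    def dispatch(self, saved_search: str, params: Dict[str, str]) -> str:
        self.seen_params = params
        return 'sid-' + saved_search            # constructed job ID

    def is_done(self, sid: str) -> bool:
        self._polls -= 1
        return self._polls <= 0

    def results(self, sid: str) -> List[Dict[str, str]]:
        return list(self._results)


def run_saved_search(splunk, saved_search: str, event: Dict[str, str],
                     search_parameters: Dict[str, str], retry_interval: float = 5.0):
    """Submit the job, poll until it completes, then fetch the results: the
    three round trips the documentation warns about. search_parameters maps
    event field -> saved-search parameter; fields missing from the event are
    simply not passed."""
    params = {param: event[field]
              for field, param in search_parameters.items() if field in event}
    sid = splunk.dispatch(saved_search, params)
    while not splunk.is_done(sid):
        time.sleep(retry_interval)              # documented default: 5 seconds
    return splunk.results(sid)


def update_event(event: Dict[str, str], search_result: Dict[str, str],
                 result_fields: Dict[str, str], overwrite: Optional[bool]):
    """Copy result fields into the event (result field -> event field),
    applying the documented overwrite semantics."""
    for result_field, event_field in result_fields.items():
        if result_field not in search_result:
            continue
        if event_field in event:
            if overwrite is None:
                raise KeyExists(event_field)    # default: existing field is an error
            if not overwrite:
                continue                        # False: keep the existing value
        event[event_field] = search_result[result_field]
    return event


def enrich(event, results, result_fields, not_found=('warn', 'send'),
           multiple_result_handling=('warn', 'use_first', 'send'),
           overwrite=None, log=None):
    """Apply the not_found / multiple_result_handling rules to one event.
    Returns the event to send on, or None when it is not sent. This example
    reads 'send'/'drop' literally: the event goes on only if 'send' is listed."""
    log = log if log is not None else []
    if 'limit' in multiple_result_handling:
        results = results[:1]                   # 'limit' modelled as truncation
    if not results:
        actions = not_found
        if 'warn' in actions:
            log.append('no results')
    elif len(results) > 1:
        actions = multiple_result_handling
        if 'warn' in actions:
            log.append('%d results' % len(results))
        if 'use_first' in actions:
            update_event(event, results[0], result_fields, overwrite)
        # 'ignore': leave the event untouched
    else:
        actions = ('send',)                     # exactly one result: enrich and send
        update_event(event, results[0], result_fields, overwrite)
    if 'drop' in actions or 'send' not in actions:
        return None
    return event


if __name__ == '__main__':
    splunk = FakeSplunk([{'cn': 'host-a', 'asn': '64496'}])  # constructed result
    ev = {'source.ip': '192.0.2.1'}
    found = run_saved_search(splunk, 'lookup', ev, {'source.ip': 'ip'}, 0)
    print(enrich(ev, found, {'cn': 'source.fqdn', 'asn': 'source.asn'}))
```

Running it with an event that already carries source.fqdn shows why the overwrite default matters operationally: with overwrite left at null the bot raises KeyExists instead of silently replacing or discarding the enrichment, so a mapping collision surfaces in the logs rather than corrupting data.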

intelmq.bots.experts.splunk_saved_search.expert.BOT

alias of intelmq.bots.experts.splunk_saved_search.expert.SplunkSavedSearchBot

class intelmq.bots.experts.splunk_saved_search.expert.SplunkSavedSearchBot(bot_id: str, start: bool = False, sighup_event=None, disable_multithreading: Optional[bool] = None)

Bases: intelmq.lib.bot.Bot

Enrich an event from Splunk search results

auth_token: str = None
init()
multiple_result_handling = ['warn', 'use_first', 'send']
not_found = ['warn', 'send']
overwrite = None
process()
result_fields = {'result field': 'event field'}
retry_interval: int = 5
search_parameters = {'event field': 'search parameter'}
update_event(event, search_result)
url: str = None